Can't ping P2P from P2S
Hi,
I’m fairly new to working with VPN connections, so I might be missing something obvious here.
I have set up a VPN connection (P2P) to an external network. I can successfully ping this server from my virtual network via my virtual machine.
Now, I have configured a P2P connection to the same network as my virtual machine. Through this P2P connection, I can ping my VM, and the P2P connection does show a route to the P2P itself. However, I am unable to ping any IPs through the P2P connection.
I have tried adding custom routing in my VM without success and have also tested BGP, but that didn’t work either.
I also encountered an error when trying to ping from P2P to P2P (see below). However, I’m unsure what might actually be causing the issue.
Packet drop is detected
Diagnose connectivity issues related to Packet drop
Azure VPN gateway has detected packet drops at 1/20/2025 10:14:58 PM. Detailed information: [Source] 10.0.x.x:0 [Destination] 192.68.x.x:0 [Protocol] 1.
Recommended Steps
This issue occurs due to one of the following reasons:
- On-premises devices refused the Quick Mode (QM) or the devices have restrictions on supporting multiple QMs.
- Traffic selectors don't match between Azure VPN gateway and on-premises device: ensure your IPsec configurations on the on-premises device is compatible with Azure VPN gateway.
- A corresponding tunnel for the traffic may not be connected: ensure the connections are shown in Connected state. If the connections are not connected, try to troubleshoot the connections from Azure portal.
(10.0.x.x is my P2S and 192.68.x.x is the VPN connection (P2P).)
And yes, I don’t have any Firewall or NSG enabled at the moment.
Azure VPN Gateway
-
Ganesh Patapati • 6,915 Reputation points • Microsoft External Staff • Moderator
2025-01-21T21:53:08.3466667+00:00 Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
It appears that you are encountering problems with your Point-to-Site (P2S) VPN connection to an external network, specifically with packet drops and connectivity issues.
- Can I get a network diagram to understand what kind of connection you are trying here?
Meantime,
- If the on-premises device is rejecting Quick Mode, please review the IPsec configuration on the device. Confirm that it supports multiple Quick Modes if multiple tunnels are in use.
- Please verify that the local and remote subnets are accurately matched and aligned.
- Use tracert to trace the path packets take to their destination. This can assist in pinpointing where packet loss is occurring.
- Verify that the IPsec/IKE settings on your on-premises device match those required by Azure. Mismatched settings can lead to packet drops and connectivity issues.
- Kindly share a screenshot of the ping test.
Hope this helps.
Please let us know if we can be of any further assistance here.
Thanks,
Ganesh
-
Ganesh Patapati • 6,915 Reputation points • Microsoft External Staff • Moderator
2025-01-22T21:49:34.8033333+00:00 Hello Thomas Finbom
Good day!
Could you please review the last comment and provide the necessary information to continue the discussion?
If you need any further assistance, please feel free to reach out. We are happy to help.
Regards,
Ganesh
-
Thomas Finbom • 5 Reputation points
2025-01-23T09:14:04.33+00:00 Hello, thank you for your response!
As I mentioned, I am fairly new to Azure, and I can't seem to find a Network Diagram. The only thing I can find is under Virtual Network -> Diagram, but it only shows my subnets. Could you help clarify?
- As the external network is managed by another company, I have contacted their network administrator and asked them to confirm whether their VPN gateway supports multiple Quick Modes.
(EDIT): Got this answer: "The firewall ASA is supporting multiple s2s tunnels".
- On the Azure side, I have correctly configured the local network gateway with the relevant address space for the external network. The subnets on my side do not overlap with the external network, and I have ensured that routing is correctly set up.
- Traceroute gives nothing (when I am connected with P2S):
traceroute to 192.68.x.x (192.68.x.x), 64 hops max, 40 byte packets
 1 * * *
- I have verified that the IPsec/IKE settings on our on-premises device match those required by Azure. The configurations are aligned. Additionally, I have confirmed that the same settings are applied to our P2S connection as well.
- Ping gives nothing (when I am connected with P2S):
PING 192.68.x.x (192.68.x.x): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.68.x.x ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
-
Ganesh Patapati • 6,915 Reputation points • Microsoft External Staff • Moderator
2025-01-23T18:45:21.08+00:00 Hello Thomas Finbom
We appreciate your patience!
I need a bit more information:
- Is the on-premises firewall policy-based or route-based?
- Are you using any specific policies or traffic selectors?
- In the Azure local network gateway, is the [use policy-based traffic selectors] option enabled?
- If you are using a policy-based VPN, please ensure that the traffic selectors are set for both P2P and P2S ranges in both Azure and the on-premises firewall.
- When pinging the P2P machine from a P2S machine, please monitor the traffic in the intermediate hops.
Regards,
Ganesh
-
Thomas Finbom • 5 Reputation points
2025-01-23T20:10:45.6933333+00:00 Thanks again
- On-premises is policy-based.
- Yes, I use traffic selectors to be able to connect with Vpn Connection P2P.
- [use policy-based traffic selectors] is enabled, yes.
- The on-premises firewall is currently only allowing traffic from my NAT VM’s IP.
- This goes in a loop in my P2S when I ping the P2P:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on utun4, link-type NULL (BSD loopback), snapshot length 524288 bytes
21:07:02.493630 IP 10.0.x.x > evry-owned-address-192_68_x_x.hidden-host.evry.com: ICMP echo request, id 62286, seq 0, length 64
21:07:03.498834 IP 10.0.x.x > evry-owned-address-192_68_x_x.hidden-host.evry.com: ICMP echo request, id 62286, seq 1, length 64
-
Venkat V • 2,545 Reputation points • Microsoft External Staff • Moderator
2025-01-28T07:01:32.9033333+00:00 Hope you are doing well.
Can you please confirm which server (Azure resource) you are pinging from the VPN (On-Prem) device after connecting to the VPN (P2S)? If it's an Azure VM, the DNS will be taken from Azure. If it's an On-Prem machine, please make sure to add the local host entry or use a DNS resolver.
Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview
-
Thomas Finbom • 5 Reputation points
2025-01-28T08:45:31.8533333+00:00 I have tested adding a local host entry for the IP addresses I am trying to ping, but I am still getting a timeout.
The machine I am trying to reach is an On-Prem machine.
-
Venkat V • 2,545 Reputation points • Microsoft External Staff • Moderator
2025-01-28T09:20:17.2733333+00:00 Thanks for your reply.
Can you please share the DNS results from the VPN-connected machine and also confirm which Azure resource you are trying to access?
-
Thomas Finbom • 5 Reputation points
2025-01-28T10:00:06.2533333+00:00 Hi,
I ran the nslookup command from my local machine, which is connected via the P2P VPN. Below are the results:
1. DNS Results:
> nslookup 192.68.x.x
Server: <DNS server IP>
Address: <DNS server IP>#53
Non-authoritative answer:
83.83.68.192.in-addr.arpa name = evry-owned-address-192_68_x_x.hidden-host.evry.com.
2. Azure Resource:
I am trying to access a machine on an external network via the P2P VPN. The machine's IP is 192.68.x.x.
Thanks.
-
Venkat V • 2,545 Reputation points • Microsoft External Staff • Moderator
2025-01-28T10:30:16.3333333+00:00 We appreciate your patience!
What do you mean by machine? Are you trying to connect to an Azure Virtual Machine in the same VNet, which is being accessed from a device connected via VPN?
-
Thomas Finbom • 5 Reputation points
2025-01-28T10:37:55.9033333+00:00 By "machine," I am referring to a device on an external network (outside of Azure), connected via a VPN Connection with a Shared Pre-shared Key. I am trying to communicate with this external device through my P2S VPN connection, which is set up between my local machine and Azure.
My OpenVPN client shows route tables to this external network when connected, but I am still unable to reach or ping the external devices.
-
Venkat V • 2,545 Reputation points • Microsoft External Staff • Moderator
2025-01-28T11:31:36.05+00:00 Could you please clarify the below point?
"I am trying to communicate with this external device through my P2S VPN connection." By "external device," do you mean devices that are in Azure or outside of Azure, which you are trying to access from the VPN device? If it's in Azure, what is the Azure resource name?
-
Thomas Finbom • 5 Reputation points
2025-01-28T14:29:28.8166667+00:00 Apologies if I’m not explaining this clearly – I’m still quite new to working with VPN configurations.
By "external device," I am referring to a system that is outside of Azure, connected via a Local Network Gateway. In Azure, I have configured a VPN Connection resource (simply called "Connection" in Azure) that links to this external system.
I am trying to communicate with this external system by connecting from my local machine via a P2S VPN Connection to Azure, and from there, using the Connection resource to reach the external system.
Additionally, in my Virtual Network in Azure, I have a Virtual Machine. This VM can successfully communicate with the external system through the Connection resource, so the issue seems to be specifically related to accessing the external system from my P2S VPN connection.
-
Venkat V • 2,545 Reputation points • Microsoft External Staff • Moderator
2025-01-29T05:10:16.87+00:00 If you connect to a P2S VPN on an external device, you can only access Azure resources within the VPN's associated VNet. For example, if your P2S VPN is connected to VNet1, you will only be able to access resources within VNet1. You will not be able to access resources in other VNets or external devices that are not part of VNet1.
Please feel free to ask if you have any queries.
-
Thomas Finbom • 5 Reputation points
2025-01-29T12:49:15.8933333+00:00 Thanks for the info!
So, just to confirm—there’s no way to make this work using something like NAT redirects or custom routes for my P2S connection?
I have managed to solve the issue now, but with a rather odd workaround:
P2S → SSH to VM → P2P.
I was hoping there would be a better way…
-
Thomas Finbom • 5 Reputation points
2025-01-29T12:52:09.4+00:00 double post.
-
Venkat V • 2,545 Reputation points • Microsoft External Staff • Moderator
2025-01-30T06:37:26.37+00:00 Can you please confirm if this is S2S or P2P? If it's S2S, you may need to follow the process below. First, you will need to connect to the P2S VPN on an external device to access the VNet. If the VNet is already configured with S2S, then you can access the external device.
P2S → Azure VNet (VPN Gateway) → S2S → On-Prem.
There is no way to access it without connecting to S2S.
-
Thomas Finbom • 5 Reputation points
2025-01-30T08:58:29.3333333+00:00 Thanks for your response! Let me clarify my setup further.
- I have a P2S VPN connection from my local machine to Azure.
- I also have a P2P VPN Connection (not S2S) in Azure, which connects to an external network via a Local Network Gateway.
- Since I couldn't reach the external network directly from my P2S VPN, I used a workaround: P2S → SSH to Azure VM → P2P.
Answering your questions:
@ "Is the P2P network the same as the Azure VM network or the public network?"
- The P2P network is external to Azure. My Azure VM is in the same Azure VNet as the VPN Gateway, but the P2P network is a separate, external network.
@ "How do you route traffic from the VM to the P2P network?"
- The Azure VM is in the same VNet as the VPN Gateway.
- The P2P VPN Connection in Azure establishes a route to the external network via the Local Network Gateway.
- The Azure VM can communicate with the P2P network without issues (this confirms that routing from Azure to the external network works).
- However, my P2S VPN cannot directly access the P2P network, which is why I had to use the SSH workaround.
@ "Is this S2S or P2P?"
- This is a P2P VPN Connection, not an S2S connection.
- The external network is not part of another Azure VNet—it is an on-premises or external system connected via P2P.
-
Venkat V • 2,545 Reputation points • Microsoft External Staff • Moderator
2025-01-30T11:30:04.4433333+00:00 Thanks for the reply.
"I also have a P2P VPN Connection (not S2S) in Azure." Can you please share a screenshot of the P2P VPN for more clarification?
-
KapilAnanth-MSFT • 49,611 Reputation points • Microsoft Employee • Moderator
2025-01-30T14:47:07.22+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
From the discussion you had with Ganesh Patapati and Vallepu Venkateswarlu, I take it that
- You have a 3rd party service running in an Azure VM (NVA) that is connecting the NVA to an External Network
- This is called P2P
- This NVA is also able to provide access to other VMs in the VNET to the External Network
- You have a VPN Gateway in the same VNET and you have configured P2S Connecting Remote devices
- Now your requirement is to provide access from the Remote Devices to the External Network
Analysis:
- If you were to use Azure VPN Gateway (S2S) along with P2S, then P2S clients will be advertised the External Network's address space
- Since you are using a 3rd party NVA/application
- I would suggest you reach out to the 3rd party's Community/Support to get more details on the configuration.
- Experts on Microsoft Q&A may have expertise over Azure products (such as VPN Gw) but the same cannot be said for other 3rd party services.
With the above said,
- You can advertise the External Network's routes manually using: Advertise custom routes for P2S VPN clients
- This would make the traffic to External Network's to reach the VPN Gw
- However, you should also take care of forwarding the traffic from the VPN Gw to the NVA VM
- Attach a Route Table on the GatewaySubnet, to forward the traffic from VPN Gw to the NVA VM
- Destination IP addresses/CIDR ranges: External Network's range
- Next hop type: Virtual appliance
- Next hop address: Private IP of the NVA VM
- Now, from this NVA - you should make sure the traffic goes to the External Network via your P2P Connection
- This should be done at the OS Level of the NVA VM
- Also, make sure the P2S's address range is advertised to the External Network via the P2P Connection.
The above is just a suggestion from our end, explaining the generic case for a 3rd Party NVA.
I would recommend you check this with the vendor for your specific NVA and test it in a lower environment (such as Dev/Test) before trying in Production.
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.
-
Thomas Finbom • 5 Reputation points
2025-02-04T07:51:35.7933333+00:00 You mean the configuration on my p2p connection?
Here it is:
-
KapilAnanth-MSFT • 49,611 Reputation points • Microsoft Employee • Moderator
2025-02-04T08:49:42.7733333+00:00 I am afraid the information shared by you is conflicting.
Note that Azure VPN Gateway has no concept of P2P
- It only has P2S and S2S (You may be using other terminologies wrt your Vendor, but we refer to the IPSec VPN Connection established by Azure as S2S only)
- The screenshot you shared corresponds to an Azure S2S only
With that said,
- See: One VNet and a branch office (BGP)
- With BGP Enabled in your S2S Connection, the OnPrem clients should be able to connect to the P2S Clients and vice versa
I see BGP is disabled in your configuration, please enable BGP in your S2S Connection by following the steps here.
Post which, the Transit connection between P2S and S2S should work.
NOTE : Your OnPrem should also support BGP and BGP should be up for the connection.
Cheers,
Kapil
-
Thomas Finbom • 5 Reputation points
2025-02-04T09:07:27.7+00:00 Thanks for info!
I have made the suggested changes and tested them, but I am still unable to reach the external network from my P2S client. Here’s what I did:
1. Enable BGP.
2. In the P2P VPN connection, I added a new custom traffic selector:
   Local address range: 10.0.x.x/24 (P2S range)
   Remote address range: 192.x.x.0/24 (External network)
3. In the P2S configuration, I added 192.x.x.0/24 to Additional routes to advertise.
4. I reset both the VPN Connection and the Virtual Network Gateway (VNG) to ensure the new settings take effect.
5. I re-downloaded and reinstalled the VPN Client to make sure it has the latest configuration.
Additionally, the route you mentioned (forwarding traffic from the VPN Gateway to the NVA VM) was already in place before making these changes.
Current issue:
My Azure VM can still communicate with the P2P network, but my P2S clients cannot.
The P2S clients still cannot reach any IPs in 192.x.x.0/24.
With the above tested, it must be the 3rd party that is not allowing my P2S connection then?
-
KapilAnanth-MSFT • 49,611 Reputation points • Microsoft Employee • Moderator
2025-02-04T09:27:55.33+00:00
- Can you confirm if the 3rd party supports BGP to begin with?
- You can test that using: BGP metrics and status
- Please share the routes learned and advertised info from this
- And make sure BGP peers show as connected
- Additionally, you shouldn't have to specify the Custom Traffic Selectors, you should disable them
- The whole concept of BGP is to automatically update the routes
Wrt, "It must be 3rd party that are not allowing my P2S-connection then?"
- It is possible
- Please check with them if they support BGP
- And if they do, what are the routes they are learning from Azure end?
- Does it include both the VNET Range and the P2S Range?
Cheers,
Kapil
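A way to work through Kapil's checklist (peer connected, P2S pool and VNet range advertised, external range learned, no overlap) from the JSON the gateway's BGP views return. This is an added example, not code from the thread or from Azure; the sample JSON is constructed, and its shape (a top-level "value" list with "state", "neighbor" and "network" keys) is an assumption about what `az network vnet-gateway list-bgp-peer-status`, `list-learned-routes` and `list-advertised-routes --peer <ip>` print.

```python
"""Check an Azure VPN Gateway's BGP state for P2S-to-S2S transit (added example)."""
import ipaddress
import json

# Constructed sample output, modelled on the CLI JSON (shape is an assumption).
PEER_STATUS = json.dumps({"value": [
    {"neighbor": "203.0.113.10", "asn": 65010, "state": "Connected", "routesReceived": 1}]})
LEARNED = json.dumps({"value": [
    {"network": "10.1.0.0/16", "origin": "Network"},                                  # VNet range
    {"network": "10.0.0.0/24", "origin": "Network"},                                  # P2S pool
    {"network": "192.0.2.0/24", "origin": "EBgp", "sourcePeer": "203.0.113.10"}]})   # on-prem range
ADVERTISED = json.dumps({"value": [
    {"network": "10.1.0.0/16", "origin": "Network"},
    {"network": "10.0.0.0/24", "origin": "Network"}]})
# Constructed failure case: only the VNet range reaches the on-prem peer, so on-prem
# has no return route for P2S clients (the symptom described in the thread).
ADVERTISED_MISSING_P2S = json.dumps({"value": [{"network": "10.1.0.0/16", "origin": "Network"}]})


def _networks(raw):
    """Parse the 'network' field of every route entry into ip_network objects."""
    return [ipaddress.ip_network(r["network"]) for r in json.loads(raw)["value"]]


def _covered(prefix, routes):
    """True if some route equals or contains the prefix (same IP version only)."""
    p = ipaddress.ip_network(prefix)
    return any(p.subnet_of(r) for r in routes if r.version == p.version)


def check_transit(peer_status, learned, advertised, vnet_range, p2s_pool, external_range):
    """Return pass/fail findings for reaching external_range from p2s_pool over S2S."""
    peers = json.loads(peer_status)["value"]
    learned_routes = _networks(learned)
    advertised_routes = _networks(advertised)
    findings = {
        # The BGP session must actually be up before any route exchange matters.
        "bgp_peer_connected": any(p.get("state") == "Connected" for p in peers),
        # On-prem needs both ranges to build return routes to Azure.
        "p2s_pool_advertised": _covered(p2s_pool, advertised_routes),
        "vnet_range_advertised": _covered(vnet_range, advertised_routes),
        # The gateway needs the external range to forward P2S traffic towards on-prem.
        "external_range_learned": _covered(external_range, learned_routes),
        # Overlapping pools make one side silently drop the other's traffic.
        "no_overlap": not ipaddress.ip_network(p2s_pool).overlaps(ipaddress.ip_network(external_range)),
    }
    findings["transit_should_work"] = all(findings.values())
    return findings


if __name__ == "__main__":
    print(json.dumps(check_transit(PEER_STATUS, LEARNED, ADVERTISED,
                                   "10.1.0.0/16", "10.0.0.0/24", "192.0.2.0/24"), indent=2))
```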